If you are responsible for GDPR compliance of your company or organization, your first steps in the operationalization of GDPR processes were, most likely, in Excel.
However, is there a better solution to manage GDPR processes than Excel?
• GDPR has changed the way companies manage personal data.
• Microsoft Excel is the starting point for most of them, but it fails as an operational tool for compliance.
• Are there any better solutions out there that can help you manage GDPR processes more efficiently?
EXCEL vs. GDPR software
Many companies still struggle with basic GDPR requirements. Of course, in the case of the GDPR, it is hard to be sure you are 100% compliant, since even the tiniest human error could lead to a potential data leak or data breach. However, this doesn’t mean you shouldn’t strive to become compliant.
We recently conducted research among DPOs from 29 different companies, which showed that the majority still use Excel for keeping their Records of processing activities. However, over 82% of them consider Excel not to be an optimal tool for managing the Records of processing activities.
First compliance steps and GDPR challenges
Most Data Protection Officers turn to Microsoft Excel as the first tool for keeping the Records of processing activities and for monitoring GDPR processes. Given the amount of personal data processed every day, managing the personal data of data subjects across the company’s IT systems is a very delicate job.
However, as Colibra states, digital transformation has revolutionized the entire business, and your company’s approach to compliance might be the key differentiator for your business: something your competition does not yet do in a fully transparent way.
If everyone is using Excel sheets and not making any progress in their compliance journey, is this really the best way to go? What will happen after years and years of keeping the Records of processing activities in Excel?
Can you imagine the confusion from all the alterations to the data sets that were impossible to supervise? The mess from the lack of the ability to apply any GDPR policies to your data sets?
Therefore, companies that tend to keep personal data in Excel files face enormous challenges that come with high risks. Take a minute to ask yourself whether this kind of exposure represents a significant cost for your organization in the long run, and whether it is a risk you have not yet taken into account.
Although Microsoft Excel does have an important application in everyday business, primarily because of its familiarity and accessibility, it will not enhance your company’s performance to meet GDPR requirements.
In the long run, the issues will pile up, and then it’s going back to step one and rethinking the way you monitor, supervise, administer, and orchestrate GDPR processes.
Consent and Preference Management tool
In its Market Guide for Consent and Preference Management, Gartner, the world’s leading research and advisory company, recommends implementing what it calls a single source of truth.
A single source of truth is a centralized software that will help your company manage all GDPR related activities in a single place.
With GDPR fines going sky high, should companies stick to a tool like Excel, with very limited features for managing the compliance process?
If your company processes sensitive information or thousands of data subjects’ personal information, it is inevitable to move away from Excel to more specialized software solutions.
Functionalities of the GDPR software vs. Excel
GDPR software that is meant to untangle and set straight your compliance process should at least provide the following functionalities:
GDPR Article 30 addresses your responsibility to keep a record of your company’s processing activities. Some companies, especially B2C companies, manage and store massive amounts of data that are hard to keep track of.
When using Excel, there is also the difficulty of not being able to connect the ROPA (Records of processing activities) to the different IT systems where you store data.
The solution you are looking for needs to support these actions and also track the change history, so that the Data Protection Officer has a clear overview of the data.
Most companies, from small to large, hire third-party vendors for professional services and products. In this case, sharing personal data is unavoidable, and the data controller bears the risk.
To protect your business from potential risks, it is advised to incorporate appropriate technical and organizational measures. In this case, software that centrally manages third parties and guides your partners through the vendor management workflow is worth its weight in gold.
Having real-time insight into the complete personal data lifecycle is highly improbable without a software solution, yet it is the first stepping stone in the GDPR compliance journey.
No Excel datasheet can ever track what is really going on with your GDPR activities. Some software can centrally manage notices and propagate them through all consent collection channels.
You need to provide the individual with information about their request without delay and within 30 days of receipt of the request.
You should look for functionality that allows you to automate the flow of data subjects’ requests, supervise it, and manage it through one central place.
Be transparent with your clients! Make sure they have access to their preferences and can see the list of their consents, so that they can opt out if they want to, but also opt into other consents, through one interface.
Maybe your ideal scenario doesn’t involve your customers opting out, but that is part of the process of keeping healthy and relevant marketing contact lists.
There is no value in having a list full of customers who do not find your content and offers valuable and relevant. In the long run, it is a very effective practice, like decanting wine: it lets your contact lists breathe and shows real data based on real numbers.
92% of customers stated that they would be more willing to trust a company with their personal information if they would have control over what information is collected about them.
If you want to know more about this research, read Data breach and (re)building customer trust.
Do you have trouble identifying all personal data across IT systems? Make sure you have highly precise identification of personal data across multiple company systems. It will save you more time than you think!
The software should help you discover personal data in your systems (cloud or on-premise). In the case of Data Privacy Manager, it connects to all relational databases of the company, making search inquiries, eliminating false positives, and identifying all personal information across multiple systems.
Manual data inventory can exhaust a lot of in-house resources with very questionable results.
When the client’s contract expires, or if he or she opts out, the lawful basis for the processing of their data is no longer valid.
At this point, the archiving process should start: the purpose of processing has changed, which should trigger the data retention process.
Data retention policies are shaped by your company’s own decisions and by other laws, but make sure not to keep personal data longer than you should.
The GDPR recommends data anonymization and pseudonymization as a solution for removing data from your systems. It is essential to know what data you need to remove, and when.
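The lifecycle just described (lawful basis lapses, record is archived, retention period runs out, identifiers are pseudonymized) and the change history mentioned earlier for the Data Protection Officer can be made concrete in a small retention job. The following is an added example and not code from this article or from any product it names; the retention periods, the records, the secret key and the audit format are all constructed for illustration.

```python
"""Added example: a minimal data retention job that reacts when a lawful basis lapses.
Not code from the original article or any product it names; the policy periods,
sample records, secret key and audit format are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import hmac

# Constructed retention policy: days a record may still be kept after its lawful
# basis (contract, consent) has ended. A marketing opt-out takes effect immediately.
RETENTION_DAYS = {"contract": 180, "marketing": 0}


@dataclass
class Record:
    subject_id: str
    email: str                  # direct identifier that gets pseudonymized
    purpose: str                # processing purpose: "contract" or "marketing"
    basis_ended: date | None    # contract expiry or opt-out date; None while still valid
    status: str = "active"      # active -> archived -> pseudonymized


@dataclass
class AuditEntry:
    """One line of change history, so every alteration is attributable and reviewable."""
    when: date
    subject_id: str
    action: str
    reason: str


def pseudonym(identifier: str, secret: bytes) -> str:
    """Keyed hash of the identifier. Without the secret (held separately from the
    dataset) the pseudonym cannot be linked back to the person."""
    return hmac.new(secret, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def retention_deadline(rec: Record) -> date | None:
    """Date after which the record must no longer hold direct identifiers."""
    if rec.basis_ended is None:
        return None
    return rec.basis_ended + timedelta(days=RETENTION_DAYS[rec.purpose])


def apply_retention(records: list[Record], today: date, secret: bytes,
                    audit: list[AuditEntry]) -> dict[str, int]:
    """Archive records whose lawful basis ended, pseudonymize those past their
    retention deadline, and log every change. Returns counts by resulting state."""
    counts = {"archived": 0, "pseudonymized": 0, "unchanged": 0}
    for rec in records:
        before = rec.status
        deadline = retention_deadline(rec)
        if deadline is not None and rec.status == "active":
            rec.status = "archived"
            audit.append(AuditEntry(today, rec.subject_id, "archive",
                                    f"lawful basis for '{rec.purpose}' ended {rec.basis_ended}"))
        if deadline is not None and rec.status == "archived" and today >= deadline:
            rec.email = pseudonym(rec.email, secret)
            rec.status = "pseudonymized"
            audit.append(AuditEntry(today, rec.subject_id, "pseudonymize",
                                    f"retention period expired {deadline}"))
        counts[rec.status if rec.status != before else "unchanged"] += 1
    return counts


def run_example(today: date = date(2024, 9, 1)):
    """Constructed sample data: four data subjects in different lifecycle stages."""
    records = [
        Record("S1", "ann@example.com", "contract", date(2024, 1, 1)),    # long expired
        Record("S2", "bob@example.com", "contract", date(2024, 8, 15)),   # recently expired
        Record("S3", "cy@example.com", "marketing", date(2024, 8, 31)),   # opted out
        Record("S4", "dee@example.com", "contract", None),                # contract still running
    ]
    audit: list[AuditEntry] = []
    secret = b"constructed-secret-kept-outside-the-dataset"
    counts = apply_retention(records, today, secret, audit)
    return counts, records, audit


if __name__ == "__main__":
    counts, records, audit = run_example()
    print(counts)
    for entry in audit:
        print(entry.when, entry.subject_id, entry.action, entry.reason)
```

Running the job on the sample data archives the recently expired contract, pseudonymizes the long-expired contract and the opted-out marketing contact, leaves the running contract untouched, and writes five audit entries. The point for a DPO is the last part: every state change carries a date, a subject and a reason, which is exactly the change history a shared spreadsheet cannot guarantee.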
To avoid highly risky practices, you should understand how the data processing activities in your company affect each data subject across systems. Lacking a 360-degree overview can lead to an inability to properly manage their rights and requests, such as the Right to be Forgotten, and to remove data when necessary.
In addition, the GDPR recommends that you give your clients (that is, data subjects) access to their data and the ability to change their preferences and make other corrections to their data.
So why would you miss the opportunity to have a tailor-made self-service interface that also increases your customers’ trust?
What message do you want to send to your clients and to the supervisory authority?
Managing GDPR-related activities in software will help you save time, increase efficiency, and let you focus on your actual everyday business.
Taking all the necessary measures to make your company GDPR compliant will signal to the regulator that you take the GDPR and its implications for your business seriously.
Excel vs. GDPR software – Conclusion
To sum up, using Excel can be a starting point for most companies. However, as personal data processing gets more and more complex, and as more employees can access and change the data, it becomes really hard to tell what is right and what is wrong with your current records, because different employees make different, sometimes even unnecessary, changes.
GDPR has changed the way companies deal with personal data, and drastic fines of up to €20 million should prompt you to take action towards GDPR compliance in your company.
Make sure to compete properly, be transparent with your clients, and become compliant by moving away from enormous Excel sheets managed by too many employees to GDPR software.